Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

--insecure-skip-tls-verify forces plain HTTP making the skip-tls-verify part confusing #310

Closed
DerDackel opened this issue Aug 24, 2018 · 0 comments · Fixed by #311
Closed

Comments

@DerDackel
Copy link
Contributor

Hi everybody,

setting the --insecure-skip-tls-verify option seems to both disable TLS verification in the HTTP client doing the upload, but allso sets the Registry.insecure flag internally, which according to my understanding of its source code forces the scheme to plain http, rendering the former option superfluous.

Worse, I originally set the flag above when testing against an internal HTTPS-only registry with an internal CA, i.e. HTTPS is required, but the registry's certificate is unknown, but the flag resulted in the executor forcing plain HTTP.

I therefore find that the flag in its current form is confusingly named and eithe name or function should be altered.

One solution, which I've already implemented, would be splitting the flag into two distinct flags. One for allowing plain HTTP registries and one for skipping certificate verification. As this would change existing command line flags there is probably some additional pondering to do on this one.

Another way would be to try HTTPS with certificate verification disabled and falling back to HTTP if the connection attempt fails, but this seems more complicated and error-prone to me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant